Accessing security data from within the app

We briefly mentioned how Spring Python Security stores user credentials in the SecurityContextHolder. This provides an easy way to look up important security information from within our application without having to alter our APIs.

So far, we have managed to develop a relatively simple web application, and then wrap it with a layer of security that protects URLs based on roles. There may be situations where that isn't enough. While protecting URLs is nice, it may be useful to disable or hide some links based on the roles the user holds. This is a more fine-grained option, and is easy to implement.

In the definition of the Page object that is used to render HTML, the footer definition contains this:

def footer(self):
    """Standard footer used for all pages."""
    footer = """
    <ul>
        <li><a href="/edit/""" + self.article + """">Edit </a></li>
    </ul>
    <a href="http://springpythonbook.com">Spring Python book </a>
    </body>
    """
    return footer

In this situation, when viewing an article, we present the user with the option to click on the edit link. However, if the user doesn't have ROLE_EDIT, the request will redirect them to an access denied page.

The preferred solution is to hide this link so they don't click on it in the first place. Reducing the opportunities for users to wander into access denied pages not only reduces the demand on the security layer, but also improves the user experience. But the security solution we have put in place doesn't deal with conditionally altering HTML. Writing a filter to manage this isn't pragmatic. Instead, it is best to put some conditional checks right here to check the user's credentials, and only render the hyperlink when the user holds the required role.

from springpython.security.context import SecurityContextHolder

def footer(self):
    """Standard footer used for all pages."""
    footer = ""
    # Only render the edit link when the current user holds ROLE_EDIT.
    granted = SecurityContextHolder.getContext().authentication.granted_auths
    if "ROLE_EDIT" in granted:
        footer += """
        <ul>
            <li><a href="/edit/""" + self.article + """">Edit </a></li>
        </ul>
        """
    footer += """
    <a href="http://springpythonbook.com">Spring Python book </a>
    </body>
    """
    return footer

SecurityContextHolder is a globally accessible object. It contains a context, which specifies where the current authentication credentials are being stored.

  • If SecurityContextHolder is configured with mode "GLOBAL", then there is a single context for the entire Python VM, meaning all threads will see the same security credentials.
  • If SecurityContextHolder is configured with mode "THREADLOCAL", then the context is stored in threading.local(), meaning there is a separate context for each thread. This is useful for multi-threaded server apps where a separate thread exists for each user.

By the time this code is actually executed, SecurityContextHolder will have been populated with user data, allowing us to do a quick check and only offer this link if the user has the necessary role, without altering our application API. This satisfies the requirement: 'credential data and other security APIs must be available non-intrusively'.
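To make the difference between the two modes concrete for a multi-threaded server, here is an added example (not code from the book or from Spring Python) that models the two storage strategies with a small stand-in class named ContextHolder, renders the conditional edit link against it, and reports what a second thread sees after one thread has stored an editor's credentials. The classes, the user name "alice" and the article name are constructed for the example.

```python
import threading

# Constructed stand-in for Spring Python's SecurityContextHolder (not the
# library's own code): one context per process, or one per thread.
class SecurityContext(object):
    def __init__(self, authentication=None):
        self.authentication = authentication

class Authentication(object):
    def __init__(self, username, granted_auths):
        self.username = username
        self.granted_auths = list(granted_auths)

class ContextHolder(object):
    MODE_GLOBAL = "GLOBAL"            # one context for the whole Python VM
    MODE_THREADLOCAL = "THREADLOCAL"  # one context per thread

    def __init__(self, mode):
        self.mode = mode
        self._global = SecurityContext()
        self._local = threading.local()

    def getContext(self):
        if self.mode == self.MODE_GLOBAL:
            return self._global
        if not hasattr(self._local, "context"):
            self._local.context = SecurityContext()
        return self._local.context

def edit_link(holder, article):
    """Render the footer's edit link only if the caller holds ROLE_EDIT."""
    auth = holder.getContext().authentication
    if auth is not None and "ROLE_EDIT" in auth.granted_auths:
        return '<li><a href="/edit/%s">Edit</a></li>' % article
    return ""

def roles_seen_by_other_thread(holder):
    """Store an editor's credentials in this thread, then report the roles a
    second thread sees: [] in THREADLOCAL mode, the editor's roles in GLOBAL
    mode (one user's credentials are visible to every thread)."""
    holder.getContext().authentication = Authentication("alice", ["ROLE_EDIT"])
    seen = []
    def worker():
        auth = holder.getContext().authentication
        seen.append(auth.granted_auths if auth is not None else [])
    thread = threading.Thread(target=worker)
    thread.start()
    thread.join()
    return seen[0]
```

In GLOBAL mode the worker thread inherits the editor's ROLE_EDIT, which is why that mode only suits single-user processes and a per-request server should use THREADLOCAL.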